Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
simple.qos had accidentally set up the egress shaper twice, once
with the true egress parameters and a second time using the ingress
parameters, effectively misconfiguring both directions. This bub
only affected situations where 3-tier ingress classification was
used.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
sqm_logger tried tro wait indefinitely if passed an empty string.
This in turn makes sqm-scripts hang. Quoting the input argument in sqm_logger
seems to fix the problem.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
The last batch of changes tried to teach the GUI to pass link layer
options to cake but forgot to actually call the function that parses
the GUI variables and used it as a string insteead. So this fixes that
it also tries to allow the use of the tc_stab link layer adjustment
method with cake so the implementations can be validated against each other
easily. Needs testing...
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
The cake traffic-shaper qdisc omne stop solution knows how to handle
link layer adjustments for ATM and can account for per packet overhead.
This commit adds cake as link layer adjustment mechanism in the GUI and
passes numerically specified overhead as well as the ATM linklayer
keywords on to cake. This change also passes the "advanced option strings"
from the Queue Discipline tab to cake. But as before no error checking.
This needs testing, as I have no working cake qdisc available so
caveat emptor...
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
Make clear that configuration options guarded by checkboxes are only
effective as long as those boxes are checked.
The sqm gui has giarded some advanced configuration options behind exposing
checkboxes, meaning these optiopn's values were only used as long
as those boxes were checked. This commit just improves the description of
the checkboxes to included this useage instruction...
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
The SQM gui has confused its users with an enable button, that only served to
selecively activate/de-activate sqm instances instead of controlling sqm's
initscript (which needs to be enabled so the sqm properly starts up after a reboot
and also for hotplug to work properly). luci-app-sqm will now enable sqm's
initscript when a single sqm instance get enabled. It also informs the user about
this fact in the top margin of the sqm page. Note sqm will not disable the
initscript behind the user's back if sqm instances get disabled.
While I would have prefered this notice to be more prominent an attentive user
should notice, and most users should not care anyway. This also increases the
package release number.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
Fixed two issues in Chaos Calmer and trunk:
-troubleshooting page not displaying
-UCI arguments out of order because of switch to musl c library from uclibc
Signed-off-by: Aedan "arfett" Renner <chipdankly@gmail.com>
- BUILD/MINOR: tools: rename popcount to my_popcountl
- BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
Signed-off-by: heil <heil@terminal-consulting.de>
fixed sed when filtering IP address from nslookup output
because "Server:" block might have multiple address lines.
Thanks to Arjen de Korte
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Released version 1.5.13 with the following main changes :
- BUG/MINOR: check: fix tcpcheck error message
- CLEANUP: deinit: remove codes for cleaning p->block_rules
- DOC: Update doc about weight, act and bck fields in the statistics
- MINOR: ssl: add a destructor to free allocated SSL ressources
- BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
- MEDIUM: ssl: replace standards DH groups with custom ones
- BUG/MINOR: debug: display (null) in place of "meth"
- BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
- BUG/MEDIUM: cfgparse: segfault when userlist is misused
- BUG/MEDIUM: stats: properly initialize the scope before dumping stats
- BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels
- CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
- BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
- CLEANUP: checks: simplify the loop processing of tcp-checks
- BUG/MAJOR: checks: always check for end of list before proceeding
- BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
- BUG/MEDIUM: peers: apply a random reconnection timeout
- BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
- MEDIUM: init: don't stop proxies in parent process when exiting
- MINOR: peers: store the pointer to the signal handler
- MEDIUM: peers: unregister peers that were never started
- MEDIUM: config: propagate the table's process list to the peers sections
- MEDIUM: init: stop any peers section not bound to the correct process
- MEDIUM: config: validate that peers sections are bound to exactly one process
- MAJOR: peers: allow peers section to be used with nbproc > 1
- DOC: relax the peers restriction to single-process
- CLEANUP: config: fix misleading information in error message.
- MINOR: config: report the number of processes using a peers section in the error case
- BUG/MEDIUM: config: properly compute the default number of processes for a proxy
Signed-off-by: heil <heil@terminal-consulting.de>
That allows to restart transmission when it crashes, to limit
the memory used by it, as well as be jailed in the directories
it is supposed to access.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
sqm-scripts for a long time interprets a "Down- or Upload speed" of zero as
an indication that the shaper should be disabled. Note that really shaping
an individual direction down o zero will make the link effectively dead
for tcp (think reverse ACK traffic). Son instead of allowing the user to
configure something broken, 0 was "over-loaded" to denote no shaping
since several years, but that information has not been documented visibly
to the users. This commit aims at fixing that oversight.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
- [PATCH 1/2] BUG/MEDIUM: stats: properly initialize the scope before
- [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without
- [PATCH 3/8] BUG/MINOR: check: fix tcpcheck error message
- [PATCH 4/8] CLEANUP: checks: fix double usage of cur / current_step
- [PATCH 5/8] BUG/MEDIUM: checks: do not dereference head of a
- [PATCH 6/8] CLEANUP: checks: simplify the loop processing of
- [PATCH 7/8] BUG/MAJOR: checks: always check for end of list before
- [PATCH 8/8] BUG/MEDIUM: checks: do not dereference a list as a
- [PATCH 09/10] BUG/MEDIUM: peers: apply a random reconnection timeout
- [PATCH 10/10] DOC: Update doc about weight, act and bck fields in the
- [PATCH 11/14] MINOR: ssl: add a destructor to free allocated SSL
- [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value
- [PATCH 13/14] BUG/MINOR: cfgparse: fix typo in 'option httplog' error
- [PATCH 14/14] BUG/MEDIUM: cfgparse: segfault when userlist is misused
Signed-off-by: heil <heil@terminal-consulting.de>
* fix Makefile to force compression of tld_names.dat reported in OpenWrt Ticket 19597
* change default of retry_count to "0" (retry endless) suggested by Henning Schild
* updated tld_names.dat include changes until 07.05.2015
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
It used to require 1+ IPv4 addresses to start on Linux. Now it starts
up with 0 addresses (of any type), as netlink can provide us more
later. This way, no stupid restart loop with procd if it is racing
with netifd at startup.
Signed-off-by: Steven Barth <steven@midlink.org>
[RELEASE] Released version 1.5.12
Released version 1.5.12 with the following main changes :
- BUG/MINOR: ssl: Display correct filename in error message
- DOC: Fix L4TOUT typo in documentation
- BUG/MEDIUM: Do not consider an agent check as failed on L7 error
- BUG/MINOR: pattern: error message missing
- BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match
- BUG/MEDIUM: buffer: one byte miss in buffer free space check
- BUG/MAJOR: http: don't read past buffer's end in http_replace_value
- BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax
- BUG/MEDIUM: peers: correctly configure the client timeout
- BUG/MINOR: compression: consider the expansion factor in init
- BUG/MEDIUM: http: hdr_cnt would not count any header when called without name
- BUG/MEDIUM: listener: don't report an error when resuming unbound listeners
- BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only
- BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified
- BUG/MEDIUM: http: remove content-length from chunked messages
- DOC: http: update the comments about the rules for determining transfer-length
- BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1
- BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request
- BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding
- MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230
- MEDIUM: http: add option-ignore-probes to get rid of the floods of 408
- BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies
- MINOR: stick-table: don't attach to peers in stopped state
- MEDIUM: config: initialize stick-tables after peers, not before
- MEDIUM: peers: add the ability to disable a peers section
- DOC: document option http-ignore-probes
- DOC: fix the comments about the meaning of msg->sol in HTTP
- BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body
- BUG/MAJOR: http: prevent risk of reading past end with balance url_param
- DOC: update the doc on the proxy protocol
Signed-off-by: heil <heil@terminal-consulting.de>
seccomp is only supported on x86, amd64 and arm in tor.
This deactivated it currently completely which should close#935,
#1097, #1147 and #1161.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds a patch for ser2net, so that ser2net can be configured
to flash leds on serial traffic. This could -for example- be used
to have an activity indicator, like netdev trigger.
Internally, the linux kernel's 'transient' led trigger is used.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Updated the package to the latest upstream version.
Removed a patch that was merged upstream.
Bumped copyright notice to 2015.
Signed-off-by: Martin Rowe <martin.p.rowe@gmail.com>
This commit brings back Wifidog from the oldpackages
repository.
Changes:
* Wifidog version 1.2.1
* Add wifidog-tls package
* Init script uses procd
Signed-off-by: Michael Haas <haas@computerlinguist.org>
Inspired by OpenWrt Ticket System Ticket 9119
Python3 package currently marked as @BROKEN because no time for testing.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
As Hnyman noted in https://github.com/dtaht/ceropackages-3.10/issues/13
we carry a few unnecessary dependecies in sqm-scripts, so remove one of
them (iptables-mod-filter) as we neither use it nor plan to use it.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
- update to latest version (v1.0.16)
- add license info
- add myself as maintainer
- install dev files the proper way in Build/InstallDev
- rename sctp package to libsctp
- add an sctp-tools package and an sctp transitional meta package
Signed-off-by: Nicolas Thill <nico@openwrt.org>
- [PATCH 3/9] BUG/MEDIUM: Do not consider an agent check as failed on
- [PATCH 4/9] BUG/MEDIUM: peers: correctly configure the client timeout
- [PATCH 5/9] BUG/MEDIUM: buffer: one byte miss in buffer free space
- [PATCH 6/9] BUG/MAJOR: http: don't read past buffer's end in
- [PATCH 7/9] BUG/MEDIUM: http: the function "(req|res)-replace-value"
- [PATCH 8/9] BUG/MINOR: compression: consider the expansion factor in
- [PATCH 9/9] BUG/MEDIUM: http: hdr_cnt would not count any header when
Signed-off-by: heil <heil@terminal-consulting.de>
* fix problem with lucihelper script reported in OpenWrt Ticket 19419
* rewritten split_FQDN fixing detection errors and using zcat
* updated tld_names.dat and .gz compressed to save space
* add LoopiaDNS (loopia.se) to services_ipv6
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Alarm Pinger (apinger) is a little tool which monitors various IP devices by
simple ICMP echo requests. There are various other tools, that can do this,
but most of them are shell or perl scripts, spawning many processes, thus much
CPU-expensive, especially when one wants continuous monitoring and fast
response on target failure.
Signed-off-by: Alex Samorukov <samm@os2.kiev.ua>
Some VPN servers might be configured in a way that a CSD wrapper script
is mandatory to complete the authentication process, allow that to be
specified for openconnect.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Some servers might be implementing ACLs based on the value specified by
openconnect for "os", allow that to be configured.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
- Ensure only valid UTF-8 is passed to libidn. It was found
(CVE-2015-2059) that libidn can read beyond the boundaries of the
provided buffer when an input string contains invalid UTF-8 sequences.
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
This patch removes some autoconf goo which is causing bind to use the host's ar
instead the ar from the toolchain. If they're both elf platforms this is fine,
but it's no good if host is darwin.
Signed-off-by: Lawrence D'Anna <larry@elder-gods.org>
The initial conversion to restart sqm on interfaces it is configured
for in case of (transient) dis- and reappearance was half finished.
These changes clean up the handling of exlicitly passed interfaces
in run.sh: no second argument defaults to all configured interfaces
the alternative is an individual interface name passed as 2nd
argument to run.sh. The first argument either is start or stop.
No argument at all will behave as if start was passed.
Survives light testing...
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
Alan Jenkins noted a bug in the smq luci GUI that effectively
erased several configuration paramters if two checkboxes were deselected.
This behaviour seems consistent in luci but certainly has the potential
to confuse users. While confusion can not really be avoided generally
it seems wise to change the default interpretation for empty or non-existent
itarget and etarget variables from the qdisc's default (5ms in the case of
one of the codels) to automatic determination of tghis variable dependent on
the configured bandwidth, as codels target variable should be large enough
to contain at least one full packet. With this change sqm-scripts will
do the right thing by default, but will yet allow the user to specify
over-ridding values (as long as the user does not un-check the
entry-field exposing check boxes). Survives light testing...
This change set also changes the sqm-scripts luci gui to note the user
of the change. For compatibility with existing setups sqm-scripts
will still honor "auto" as an alternative explicit way of requesting
automatic target selection. This might turn into a warning in the future
and might be phased out...
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
Package ethtool is missing dependencies for the following libraries:
libssp.so.0
Makefile:45: recipe for target '/home/zero/development/openwrt/bin/ar71xx/packages/packages/ethtool_3.18-1_ar71xx.ipk' failed
Signed-off-by: Rick Farina (Zero_Chaos) <zerochaos@gentoo.org>
From: Michael Haas <haas@computerlinguist.org>
* init script no longer creates certificates (consider client mode as use
case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it
is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure,
does not require cert
Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.
The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel
Signed-off-by: Michael Haas <haas@computerlinguist.org>
This patch add a new package, git-http, that contains all
http related commands (and ftp as extra). All http/ftp
depends on libcurl. Even without SSL suport in libcurl,
git compiles and it returns an informative error only
at runtime.
The use of symlinks now are trigged using NO_INSTALL_HARDLINKS env
and not based only on Makefile patch.
imap-send was kept builtin and idependent of curl (just as it was
before)
Template files, which are not necessary, where removed.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Previously, ./configure was running checking local system and not
OpenWRT target. This would avoid any configure test about OpenWRT
libraries.
With a patch in configure, non cross-compiling-friend test are
ignored and Makefile can use default configure.
As side effect, git commands are now at /usr/lib/git-core and not
/usr/libexec/git-core.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
- use https URL for fetching sources from GitHub, otherwise cloning
sources could stall buildbots by asking to accept a/the SSH host key
- do not _depend_ on DEPENDS but _select_ them, so the package(s) always
appear in menuconfig, not only when all dependencies are already
selected --> dependencies are automatically pulled in when package
is selected by user
- use PKG_INSTALL
- factor out the libeibclient library as own package
- use CONFIGURE_ARGS instead of dedicated Build/Configure
- same for TARGET_CFLAGS and Build/Compile
- do not include /etc/functions, already included by /etc/rc.common
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
During system start up pppoe devices seem to receice ifup events before
the interface actually exists. This commit makes sqm's run.sh script
test whether the sys files for an interface exist before actually trying
to start an SQM instance on an interface. This seems to nicely avoid
starting on an not fully established pppoe interface and avoids a number
of error messages during startup.
In addition, debug logging is disabled.
Signed-off-by: Sebastian Moeller <moeller0@gmx.de>
fix build errors on Arch Linux/Fedora 20
config.log trying to link with /usr/lib/libcrypt.so
/usr/lib/libcrypt.so: undefined reference to `memset@GLIBC_2.2.5'
linkage is AC_LIB_HAVE_LINKFLAGS macro behaviour
see http://marc.info/?l=gnulib-bug&m=129660262901148
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
config.log reports
WARNING: uuid support disabled as libblkid is too old
because the test macro AC_BLKID_VERS is not cross compile friendly
resulting in libblkid_cv_is_recent=unknown
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
Some interfaces like wan-pppoe go away, when the ppp connection is lost
and get recreated once the link is established again. SQM now
has its own hotplug script to re-enable itself on the interfae just hotplugged.
SQM will not touch other instances of itself running on other interfaces
if called by hotplug.d. The implementation now allows this functionality by
calling run.sh like:
/usr/lib/sqm/run.sh interface YOUR_INTERFACE_NAME_HERE
e.g.: /usr/lib/sqm/run.sh interface ge00-pppoe
If called with a specific interface SQM will only try to disable itself
on that interface to clean up all left over state and the re-enable
itself on just that interface. Hopefully that allows for better service
with instable interfaces like pppoe. The current code passes a simple manual
stop start test of the ge00-pppoe interface from the GUI and does seem
to do the right thing, at least on cerowrt 3.10.50-1...
